Because of differences in the OS versions, the same exploit code cannot be used, the researchers said. However, what can be accomplished by malware is the same.

The flaws make it possible for a malicious app to bypass a VPN (virtual private network) configuration and redirect the secure data communications to a different network address. The data is rerouted before it is encrypted.

The KitKat flaw is somewhat similar to what the same researchers found last December in Samsung's Knox security platform. That vulnerability could let a malicious app intercept files on Samsung S4 devices before they are stored in a secure Knox container.

Google and Samsung dismissed the reported Knox flaw, saying in a statement that the researchers' exploit "uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device."

In essence, the researchers demonstrated a "classic man-in-the-middle attack," which could be launched at any point on the network to capture unencrypted data, Google and Samsung said. The researchers did not exploit an actual vulnerability.

If the latest vulnerabilities prove to be real, they should be fixed quickly, said John Pirc, chief technology officer at security software tester NSS Labs. However, if Google finds that the flaw is in the network stack, "that is not trivial to fix."

In addition, any patch on Android takes time to reach users because it has to be rolled out by wireless carriers and device manufacturers.

In the meantime, Henry advises businesses to set their mobile device management systems to alert IT staff of any changes in the security settings associated with the VPN of an Android smartphone or tablet.

This story, "VPN flaw reported in latest version of Android," was originally published by CSO.